
Queue Full Of Spam

Discussion in 'Plesk for Linux - 8.x and Older' started by stanleyjobson2, Sep 27, 2007.

  1. stanleyjobson2

    stanleyjobson2 Guest

    Hello,
    I have a serious problem with my web server. The Qmail queue is full of spam; I've tried to empty it, but after a few hours the queue is full again.

    I followed the instructions in KB #766:

    Code:
    webdispo:~# /var/qmail/bin/qmail-qstat
    messages in queue: 793
    messages in queue but not yet preprocessed: 0
    After:

    Code:
    27 Sep 2007 19:02:32 GMT  #2346873  3198  <suporte@email.com>
            remote  enc.gpv@bol.com.br
    27 Sep 2007 19:02:33 GMT  #2346942  3212  <suporte@email.com>
            remote  eventosgerenciaeventos@gmail.com
    27 Sep 2007 19:02:34 GMT  #2347011  3202  <suporte@email.com>
            remote  edgar-nene@hotmail.com
    27 Sep 2007 19:02:35 GMT  #2347080  3200  <suporte@email.com>
            remote  esfiha@olimpo.com.br
    27 Sep 2007 19:02:36 GMT  #2347149  3192  <suporte@email.com>
            remote  elsad@usp.br
    27 Sep 2007 19:02:39 GMT  #2347218  3198  <suporte@email.com>
            remote  e5-7h@terra.com.br
    27 Sep 2007 19:02:40 GMT  #2347287  3200  <suporte@email.com>
            remote  evair1@arlais.com.br
    27 Sep 2007 19:02:41 GMT  #2347356  3196  <suporte@email.com>
            remote  e-ma@hotmail.com
    27 Sep 2007 19:02:45 GMT  #2347494  3200  <suporte@email.com>
            remote  esajapa@yahoo.com.br
    27 Sep 2007 19:02:46 GMT  #2347563  3199  <suporte@email.com>
            remote  estamos2@bol.com.br
    27 Sep 2007 19:02:47 GMT  #2347632  3200  <suporte@email.com>
            remote  elizeu@geocities.com
    27 Sep 2007 19:02:51 GMT  #2347701  3204  <suporte@email.com>
            remote  elsonschmidt@hotmail.com
    27 Sep 2007 19:02:52 GMT  #2347770  3201  <suporte@email.com>
            remote  edinformal@mtv.com.br
    27 Sep 2007 19:02:53 GMT  #2347839  3197  <suporte@email.com>
            remote  emdoc@saga.com.br
    27 Sep 2007 19:02:54 GMT    3200  <suporte@email.com>
            remote  edumimo@terra.com.br
    27 Sep 2007 19:03:35 GMT  #2345079  3883  <>
            remote  suporte@email.com
    27 Sep 2007 19:04:41 GMT  #2345171  3804  <>
            remote  suporte@email.com
    
    After:
    find /var/qmail/queue/mess/ -name 2347908

    Code:
    /var/qmail/queue/mess/22/2347908
    
    After:
    nano /var/qmail/queue/mess/22/2347908

    Code:
    Received: (qmail 14729 invoked by uid 33); 27 Sep 2007 19:02:54 +0200
    Date: 27 Sep 2007 19:02:54 +0200
    To: edumimo@terra.com.br
    Subject: Reative seu email agora!!
    From: suporte@email.com <suporte@email.com>
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    Content-Transfer-encoding: 8bit
    Reply-To: suporte@email.com <suporte@email.com>
    Message-ID: <a773846dd6b0c181781d5c82da16ca81@email.com>
    X-Priority: 3
    X-MSmail-Priority: High
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    X-Mailer: iGMail [www.ig.com.br]
    X-Originating-Email: [suporte@email.com]
    X-Sender: suporte@email.com
    X-Originating-IP: [201.201.120.121]
    X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.$
    
    #2347908

    After: # grep 33 /etc/passwd

    But the problem is that the next command doesn't work; I'm talking about this command:
    # lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php


    I have Plesk 8.2.1 and Debian Sarge.


    What can I do to solve this spam problem?

    How can I blacklist the IP addresses?

    Thank you, and sorry for my English, I'm French.
     
  2. dynamicnet

    dynamicnet Basic Pleskian

    Greetings:

    Note: While I typically work with just H-Sphere, H-Sphere uses qmail.

    Presuming Debian supports iptables (I've worked on various Unix flavors, but Debian is not one of them), then you could do something like:

    iptables -I INPUT -s 201.201.120.121 -j DROP

    I typically use qmqtool from http://jeremy.kister.net/code/qmqtool/ for cleaning up spam et al.

    You didn't have it in your post, but is the UID in /etc/passwd a regular user (you don't have to post the info)?

    If yes, then check their web document area for malware uploaded there via web-based injection attacks, and check for vulnerable applications or scripts which the hacker may be using.

    Thank you.
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    Side note: you probably don't have lsof installed on your system. I don't believe Debian sticks that on there by default.

    I've got a (very) rough procedure outlined for identifying the source of spam here:

    http://www.atomicorp.com/wiki/index.php/Spam
     
  4. stanleyjobson2

    stanleyjobson2 Guest

    Hi,
    When I tried to find the PHP script that sends mail from my server, I followed this link:

    http://kb.swsoft.com/article_22_1711_en.html

    But look:


    Code:
    webdispo:~# !/bin/sh(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"
    -bash: !/bin/sh(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@": event not found
    ????
     
  5. stanleyjobson2

    stanleyjobson2 Guest

    I've installed the lsof package, and when I did:

    Code:
    grep 33 /etc/passwd

    I have:
    Code:
    www-data:x:33:33:www-data:/var/www:/bin/sh
    ??
     
  6. atomicturtle

    atomicturtle Golden Pleskian

    If you look at the procedure outlined in the wiki entry, this tells you it is coming from an exploitable PHP application.

    Your second problem is that you need to create a script from the SWsoft KB article, not paste the output into the shell.
     
  7. stanleyjobson2

    stanleyjobson2 Guest

    How do I create this script??

    The first command didn't work.
     
  8. stanleyjobson2

    stanleyjobson2 Guest

    Can someone help me?

    Code:
    webdispo:/# grep 33 /etc/passwd
    www-data:x:33:33:www-data:/var/www:/bin/sh
    
    I found that the user ID maps to Apache. How do I now find the script that sends the spam?
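The script atomicturtle says to create (post 6), together with a way to answer the question just above of how to find the sending script, as an added example that is not the KB's or the forum's own code. It assumes the layout from the pasted KB command (the real binary renamed to /var/qmail/bin/sendmail-qmail, the log at /var/tmp/mail.send); the directory names in the sample log are constructed.

```shell
#!/bin/sh
# Added example (not the KB's or the forum's code): the sendmail logging wrapper
# the KB describes, written as a script file, plus a helper that summarises the log.
# Assumed layout: the real binary was renamed to /var/qmail/bin/sendmail-qmail, the
# wrapper is installed in its place, and the log is /var/tmp/mail.send.
REAL_SENDMAIL="${REAL_SENDMAIL:-/var/qmail/bin/sendmail-qmail}"
LOGFILE="${LOGFILE:-/var/tmp/mail.send}"

# write_wrapper FILE: create the wrapper as an executable file run by /bin/sh.
# Pasting the same text at an interactive bash prompt fails because "!" starts
# a history expansion, which is the "event not found" error seen in the thread.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# Record the caller's working directory as a header, keep a copy of the whole
# message in the log, then pass the message and all arguments to the real sendmail.
(echo "X-Additional-Header: \$PWD"; cat) | tee -a "$LOGFILE" | "$REAL_SENDMAIL" "\$@"
EOF
    chmod 755 "$1"
}

# top_sending_dirs LOG: count the directories recorded in the log, most frequent
# first. A vhost document directory at the top is where the sending script lives.
top_sending_dirs() {
    sed -n 's/^X-Additional-Header: //p' "$1" | sort | uniq -c | sort -rn
}

# top_sending_dir LOG: only the single most frequent directory.
top_sending_dir() {
    top_sending_dirs "$1" | head -n 1 | awk '{print $2}'
}

# make_sample_log FILE: constructed sample log (not a real capture) to try the helpers on.
make_sample_log() {
    cat > "$1" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/contact
To: someone@example.net
X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs
To: customer@example.net
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/contact
To: other@example.net
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/contact
To: more@example.net
EOF
}
```

After the wrapper has logged for a while, `top_sending_dirs /var/tmp/mail.send` shows which directory under /var/www/vhosts the mail is coming from; once the script is found, restore the original sendmail binary so the log does not keep growing.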
     